
ssl proxy

bach 3 years ago
parent
commit
3d898a7333
2 changed files with 131 additions and 0 deletions
  1. 54 0
      assets/nginx-ssl.conf
  2. 77 0
      readme.md

+ 54 - 0
assets/nginx-ssl.conf

@@ -0,0 +1,54 @@
+server {
+  listen 80;
+  listen [::]:80;
+  server_name editoria.figli.io;
+  return 301 https://$server_name$request_uri;
+}
+
+server {
+  listen 443 ssl;
+  listen [::]:443 ssl;
+
+  server_name editoria.figli.io;
+
+  charset utf-8;
+
+  location = /favicon.ico { access_log off; log_not_found off; }
+  location = /robots.txt  { access_log off; log_not_found off; }
+
+  access_log on;
+  # error_log /var/logs/nginx/editoria.figli.io/error.log;
+
+  sendfile off;
+
+  client_max_body_size 100m;
+
+  #SSL Certificates
+  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+  ssl_certificate "/etc/letsencrypt/live/editoria.figli.io/fullchain.pem";
+  ssl_certificate_key "/etc/letsencrypt/live/editoria.figli.io/privkey.pem";
+  ssl_dhparam /etc/nginx/ssl/certs/editoria.figli.io/dhparam.pem;
+  ssl_session_cache shared:SSL:1m;
+  ssl_session_timeout 10m;
+  ssl_ciphers HIGH:!aNULL:!MD5;
+  #ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
+  ssl_prefer_server_ciphers  on;
+
+  add_header Strict-Transport-Security "max-age=31536000;
+  #includeSubDomains" always;
+
+  location ~ /\.ht {
+    deny all;
+  }
+
+  location / {
+    proxy_pass http://127.0.0.1:9005;
+    proxy_set_header    Host $host;
+
+    proxy_connect_timeout 30;
+    proxy_send_timeout 30;
+  }
+
+  # website should not be displayed inside a <frame>, an <iframe> or an <object>
+  add_header X-Frame-Options SAMEORIGIN;
+}
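Review bot: The quoted HSTS value opened on the `add_header Strict-Transport-Security "max-age=31536000;` line is not closed until the following line, so the `#` there does not start a comment and the header value sent to clients carries a line break followed by the literal text `#includeSubDomains`; the two lines should collapse to `add_header Strict-Transport-Security "max-age=31536000" always;` (or keep `includeSubDomains` inside the quotes only if every subdomain is served over HTTPS). `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` still enables TLS 1.0 and 1.1, which are deprecated by RFC 8996 and fail most compliance scans; `ssl_protocols TLSv1.2 TLSv1.3;` is the usual replacement (drop TLSv1.3 if the installed nginx/OpenSSL predates support for it). The `location /` proxy block forwards only `Host`, so the upstream on 127.0.0.1:9005 cannot tell that the request arrived over HTTPS or which client sent it; `proxy_set_header X-Forwarded-Proto $scheme;` and `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` are the conventional additions. `access_log on;` is not a documented value for that directive (it takes a path or `off`), so it likely creates a log file literally named `on` relative to the nginx prefix — worth confirming on the host. The same issues are repeated verbatim in the nginx snippet embedded in the readme.md section of this commit.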

+ 77 - 0
readme.md

@@ -264,3 +264,80 @@ docker-compose -f docker-compose.production.yml up
 ```
 docker system prune
 ```
+
+##  SSL
+
+```sh
+apt-get install --yes nginx certbot
+systemctl stop nginx
+certbot certonly --standalone -d your.domain.ltd --cert-name your.domain.ltd
+systemctl start nginx
+mkdir -p /etc/nginx/ssl/certs/your.domain.ltd
+openssl dhparam -out /etc/nginx/ssl/certs/your.domain.ltd/dhparam.pem 2048
+touch /var/spool/cron/crontabs/root
+crontab -l > /tmp/mycron
+echo "0 3 * * * certbot renew --pre-hook 'systemctl stop nginx' --post-hook 'systemctl start nginx' --cert-name your.domain.ltd" >> /tmp/mycron
+crontab /tmp/mycron
+rm /tmp/mycron
+
+echo '
+server {
+  listen 80;
+  listen [::]:80;
+  server_name your.domain.ltd;
+  return 301 https://$server_name$request_uri;
+}
+
+server {
+  listen 443 ssl;
+  listen [::]:443 ssl;
+
+  server_name your.domain.ltd;
+
+  charset utf-8;
+
+  location = /favicon.ico { access_log off; log_not_found off; }
+  location = /robots.txt  { access_log off; log_not_found off; }
+
+  access_log on;
+  # error_log /var/logs/nginx/your.domain.ltd/error.log;
+
+  sendfile off;
+
+  client_max_body_size 100m;
+
+  #SSL Certificates
+  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+  ssl_certificate "/etc/letsencrypt/live/your.domain.ltd/fullchain.pem";
+  ssl_certificate_key "/etc/letsencrypt/live/your.domain.ltd/privkey.pem";
+  ssl_dhparam /etc/nginx/ssl/certs/your.domain.ltd/dhparam.pem;
+  ssl_session_cache shared:SSL:1m;
+  ssl_session_timeout 10m;
+  ssl_ciphers HIGH:!aNULL:!MD5;
+  #ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
+  ssl_prefer_server_ciphers  on;
+
+  add_header Strict-Transport-Security "max-age=31536000;
+  #includeSubDomains" always;
+
+  location ~ /\.ht {
+    deny all;
+  }
+
+  location / {
+    proxy_pass http://127.0.0.1:9005;
+    proxy_set_header    Host $host;
+
+    proxy_connect_timeout 30;
+    proxy_send_timeout 30;
+  }
+
+  # website should not be displayed inside a <frame>, an <iframe> or an <object>
+  add_header X-Frame-Options SAMEORIGIN;
+}
+' > /etc/nginx/sites-available/your.domain.ltd.conf
+
+ln -s /etc/nginx/sites-available/your.domain.ltd.conf /etc/nginx/sites-enabled/
+
+systemctl restart nginx
+```